-2. On the **Configurations** page, select **Public web content in Microsoft Copilot for Microsoft 365**.

-4. Unselect the checkbox for Allow Copilot to reference web content.

-2. On the Copilot page, select **Public Web Content in Microsoft Copilot for Microsoft 365**.

-> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).

-| Dynamics 365 Marketing | CFQ7TTC0LH3N | No |

-| Dynamics 365 Marketing Attach | CFQ7TTC0LHWP | No |

-| Dynamics 365 Marketing Additional Application | CFQ7TTC0LHVK | No |

-| Dynamics 365 Marketing Additional Non-Prod Application | CFQ7TTC0LHWM | No |

-Users can't use any Microsoft 365 services until their account has been assigned a license from a licensing plan. You can use PowerShell to quickly assign licenses to unlicensed accounts.

-User accounts must first be assigned a location. Specifying a location is a required part of creating a new user account in the [Microsoft 365 admin center](../admin/add-users/add-users.md).

-## Use the Microsoft Graph PowerShell SDK

-## Use the Azure Active Directory PowerShell for Graph module

->[!Note]

->The Set-AzureADUserLicense cmdlet is scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366).

->

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-

-Next, list the license plans for your tenant with this command.

-```powershell

-Get-AzureADSubscribedSku | Select SkuPartNumber

-```

-Next, get the sign-in name of the account to which you want to add a license, also known as the user principal name (UPN).

-Next, ensure that the user account has a usage location assigned.

-```powershell

-Get-AzureADUser -ObjectID <user sign-in name (UPN)> | Select DisplayName, UsageLocation

-```

-If there's no usage location assigned, you can assign one with these commands:

-```powershell

-$userUPN="<user sign-in name (UPN)>"

-$userLoc="<ISO 3166-1 alpha-2 country code>"

-Set-AzureADUser -ObjectID $userUPN -UsageLocation $userLoc

-```

-Finally, specify the user sign-in name and license plan name and run these commands.

-```powershell

-$userUPN="<user sign-in name (UPN)>"

-$planName="<license plan name from the list of license plans>"

-$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

-$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $planName -EQ).SkuID

-$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

-$LicensesToAssign.AddLicenses = $License

-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $LicensesToAssign

-```

-## Use the Microsoft Azure Active Directory module for Windows PowerShell

->[!Note]

->The Set-MsolUserLicense and New-MsolUser (-LicenseAssignment) cmdlets are scheduled to be retired. Please migrate your scripts to the Microsoft Graph SDK's Set-MgUserLicense cmdlet as described above. For more information, see [Migrate your apps to access the license managements APIs from Microsoft Graph](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366).

->

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

-Run the `Get-MsolAccountSku` command to view the available licensing plans and the number of available licenses in each plan in your organization. The number of available licenses in each plan is **ActiveUnits** - **WarningUnits** - **ConsumedUnits**. For more information about licensing plans, licenses, and services, see [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md).

->[!Note]

->PowerShell Core does not support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with **Msol** in their name. To continue using these cmdlets, you must run them from Windows PowerShell.

->

-To find the unlicensed accounts in your organization, run this command.

-```powershell

-Get-MsolUser -All -UnlicensedUsersOnly

-```

-You can only assign licenses to user accounts that have the **UsageLocation** property set to a valid ISO 3166-1 alpha-2 country code. For example, US for the United States, and FR for France. Some Microsoft 365 services aren't available in certain countries. For more information, see [About license restrictions](https://go.microsoft.com/fwlink/p/?LinkId=691730).

-

-To find accounts that don't have a **UsageLocation** value, run this command.

-```powershell

-Get-MsolUser -All | where {$_.UsageLocation -eq $null}

-```

-To set the **UsageLocation** value on an account, run this command.

-```powershell

-Set-MsolUser -UserPrincipalName "<Account>" -UsageLocation <CountryCode>

-```

-For example:

-```powershell

-Set-MsolUser -UserPrincipalName "belindan@litwareinc.com" -UsageLocation US

-```

-

-If you use the **Get-MsolUser** cmdlet without using the **-All** parameter, only the first 500 accounts are returned.

-### Assigning licenses to user accounts

-

-To assign a license to a user, use the following command in PowerShell.

-

-```powershell

-Set-MsolUserLicense -UserPrincipalName "<Account>" -AddLicenses "<AccountSkuId>"

-```

-This example assigns a license from the **litwareinc:ENTERPRISEPACK** (Office 365 Enterprise E3) licensing plan to the unlicensed user **belindan\@litwareinc.com**:

-

-```powershell

-Set-MsolUserLicense -UserPrincipalName "belindan@litwareinc.com" -AddLicenses "litwareinc:ENTERPRISEPACK"

-```

-To assign a license to all unlicensed users, run this command.

-

-```powershell

-Get-MsolUser -All -UnlicensedUsersOnly [<FilterableAttributes>] | Set-MsolUserLicense -AddLicenses "<AccountSkuId>"

-```

-

->[!Note]

->You can't assign multiple licenses to a user from the same licensing plan. If you don't have enough available licenses, the licenses are assigned to users in the order that they're returned by the **Get-MsolUser** cmdlet until the available licenses run out.

->

-This example assigns licenses from the **litwareinc:ENTERPRISEPACK** (Office 365 Enterprise E3) licensing plan to all unlicensed users:

-

-```powershell

-Get-MsolUser -All -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "litwareinc:ENTERPRISEPACK"

-```

-This example assigns those same licenses to unlicensed users in the Sales department in the United States:

-

-```powershell

-Get-MsolUser -All -Department "Sales" -UsageLocation "US" -UnlicensedUsersOnly | Set-MsolUserLicense -AddLicenses "litwareinc:ENTERPRISEPACK"

-```

-

-## Move a user to a different subscription (license plan) with the Azure Active Directory PowerShell for Graph module

-First, [connect to your Microsoft 365 tenant](connect-to-microsoft-365-powershell.md#connect-with-the-azure-active-directory-powershell-for-graph-module).

-

-Next, get the sign-in name of the user account for which you want switch subscriptions, also known as the user principal name (UPN).

-Next, list the subscriptions (license plans) for your tenant with this command.

-```powershell

-Get-AzureADSubscribedSku | Select SkuPartNumber

-```

-Next, list the subscriptions that the user account currently has with these commands.

-```powershell

-$userUPN="<user account UPN>"

-$licensePlanList = Get-AzureADSubscribedSku

-$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID

-$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } }

-```

-Identify the subscription the user currently has (the FROM subscription) and the subscription to which the user is moving (the TO subscription).

-Finally, specify the TO and FROM subscription names (SKU part numbers) and run these commands.

-```powershell

-$subscriptionFrom="<SKU part number of the current subscription>"

-$subscriptionTo="<SKU part number of the new subscription>"

-# Unassign

-$license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense

-$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

-$licenses.RemoveLicenses = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $subscriptionFrom -EQ).SkuID

-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses

-# Assign

-$license.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value $subscriptionTo -EQ).SkuID

-$licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses

-$licenses.AddLicenses = $License

-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $licenses

-```

-You can verify the change in subscription for the user account with these commands.

-```powershell

-$licensePlanList = Get-AzureADSubscribedSku

-$userList = Get-AzureADUser -ObjectID $userUPN | Select -ExpandProperty AssignedLicenses | Select SkuID

-$userList | ForEach { $sku=$_.SkuId ; $licensePlanList | ForEach { If ( $sku -eq $_.ObjectId.substring($_.ObjectId.length - 36, 36) ) { Write-Host $_.SkuPartNumber } } }

-```

-[Manage user accounts, licenses, and groups with PowerShell](manage-user-accounts-and-licenses-with-microsoft-365-powershell.md)

-

-

-[Getting started with PowerShell for Microsoft 365](getting-started-with-microsoft-365-powershell.md)

-description: "Connect to your Microsoft 365 tenant by using PowerShell for Microsoft 365 to do admin center tasks from the command line."

-# Connect to Microsoft 365 with PowerShell

-PowerShell for Microsoft 365 enables you to manage your Microsoft 365 settings from the command line. To connect to PowerShell, just install the required software and then connect to your Microsoft 365 organization.

-There are two versions of the PowerShell module that you can use to connect to Microsoft 365 and administer user accounts, groups, and licenses:

-Currently, the Azure Active Directory PowerShell for Graph module doesn't completely replace the functionality of the Microsoft Azure Active Directory module for Windows PowerShell module for user, group, and license administration. In some cases, you need to use both versions. You can safely install both versions on the same computer.

->[!Note]

->You can also connect with the [Azure Cloud Shell](#connect-with-the-azure-cloud-shell) from the Microsoft 365 admin center.

-## What do you need to know before you begin?

->[!NOTE]

-> The Azure Active Directory module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).

-**Operating system**

-You must use a 64-bit version of Windows. Support for the 32-bit version of the Microsoft Azure Active Directory module for Windows PowerShell ended in 2014.

-You can use the following versions of Windows:

-

- - Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1)

-

- - Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1

->[!Note]

->For Windows 8.1, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 SP1, download and install the [Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616).

-**PowerShell**

-

->[!Note]

->These procedures are intended for users who are members of a Microsoft 365 admin role. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md).

-## Connect with the Azure Active Directory PowerShell for Graph module

-Commands in the Azure Active Directory PowerShell for Graph module have *AzureAD* in their cmdlet name. You can install the [Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2) module or [Azure PowerShell](/powershell/azure/install-az-ps).

-For procedures that require the new cmdlets in the Azure Active Directory PowerShell for Graph module, follow these steps to install the module and connect to your Microsoft 365 subscription.

-> [!Note]

-> For information about support for different versions of Windows, see [Azure Active Directory PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) .

-These steps are required only one time on your computer. But you'll likely need to update the software periodically.

-

-1. Open a Windows PowerShell Command Prompt window.

-

-2. Run this command:

-

- ```powershell

- Install-Module -Name AzureAD

- ```

- By default, the PowerShell Gallery (PSGallery) isn't configured as a trusted repository for **PowerShellGet**. The first time you use the PSGallery, you'll see the following message:

-```console

-Untrusted repository

-You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the `Set-PSRepository` cmdlet.

-Are you sure you want to install the modules from 'PSGallery'?

-[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):

-```

-Answer **Yes** or **Yes to All** to continue with the installation.

-3. Run this command to import the module:

-

- Import-Module AzureAD

-

-<a name='step-2-connect-to-azure-ad-for-your-microsoft-365-subscription'></a>

-### Step 2: Connect to Microsoft Entra ID for your Microsoft 365 subscription

-To connect to Microsoft Entra ID for your Microsoft 365 subscription with an account name and password or with multi-factor authentication, run one of these commands from a Windows PowerShell command prompt. (It doesn't have to be elevated.)

-| Office 365 cloud | Command |

-|:-|:--|

-| Office 365 Worldwide (+GCC) | `Connect-AzureAD` |

-| Office 365 operated by 21 Vianet | `Connect-AzureAD -AzureEnvironmentName AzureChinaCloud` |

-| Office 365 Germany | `Connect-AzureAD -AzureEnvironmentName AzureGermanyCloud` |

-| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | `Connect-AzureAD -AzureEnvironmentName AzureUSGovernment` |

-|||

-In the **Sign into your account** dialog box, type your Microsoft 365 work or school account user name and password, and then select **OK**.

-If you're using multi-factor authentication, follow the instructions to provide additional authentication information, such as a verification code.

-After you connect, you can use the cmdlets for the [Azure Active Directory PowerShell for Graph module](/powershell/module/azuread).

-## Connect with the Microsoft Azure Active Directory module for Windows PowerShell

->[!Note]

->Cmdlets in the Microsoft Azure Active Directory module for Windows PowerShell have *Msol* in their name.

-PowerShell version 7 and later don't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. For PowerShell version 7 and later, you must use the Microsoft Graph PowerShell SDK.

-PowerShell Core doesn't support the Microsoft Azure Active Directory module for Windows PowerShell module and cmdlets with *Msol* in their name. Run these cmdlets from Windows PowerShell.

-

-### Step 1: Install the required software

-These steps are required only one time on your computer. But you'll likely need to update the software periodically.

-

-1. If you're not running Windows 10, install the 32-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi).

-

-2. Follow these steps to install and import the Microsoft Azure Active Directory module for Windows PowerShell:

-

- 1. Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).

- 1. Run the **Install-Module MSOnline** command.

- 1. If you're prompted to install the NuGet provider, type **Y** and press Enter.

- 1. If you're prompted to install the module from PSGallery, type **Y** and press Enter.

- 1. Run the **Import-Module MSOnline** command to import the module.

-

-### Step 2: Connect to Microsoft Entra ID for your Microsoft 365 subscription

-To connect to Microsoft Entra ID for your Microsoft 365 subscription with an account name and password or with multi-factor authentication, run one of these commands from a Windows PowerShell command prompt. (It doesn't have to be elevated.)

-| Office 365 cloud | Command |

-|:-|:--|

-| Office 365 Worldwide (+GCC) | `Connect-MsolService` |

-| Office 365 operated by 21 Vianet | `Connect-MsolService -AzureEnvironment AzureChinaCloud` |

-| Office 365 Germany | `Connect-MsolService -AzureEnvironment AzureGermanyCloud` |

-| Office 365 U.S. Government DoD and Office 365 U.S. Government GCC High | `Connect-MsolService -AzureEnvironment USGovernment` |

-|||

-In the **Sign into your account** dialog box, type your Microsoft 365 work or school account user name and password, and then select **OK**.

-If you're using multi-factor authentication, follow the instructions to provide additional authentication information, such as a verification code.

-### How do you know it worked?

-If you don't get an error message, you connected successfully. For quick test, run a Microsoft 365 cmdlet, such as **Get-MsolUser**, and see the results.

-

-If you get an error message, check the following issues:

-

-

-

- - For Windows Server 2012 or Windows Server 2012 R2, see [Enable .NET Framework 3.5 by using the Add Roles and Features Wizard](/previous-versions/windows/it-pro/windows-8.1-and-8/dn482071(v=win.10)).

-

- - For Windows 7 or Windows Server 2008 R2, see [You can't open the Azure Active Directory module for Windows PowerShell](/troubleshoot/azure/active-directory/cant-open-aad-module-powershell).

- - For Windows 10, Windows 8.1, and Windows 8, see [Install the .NET Framework 3.5 on Windows 10, Windows 8.1, and Windows 8](/dotnet/framework/install/dotnet-35-windows-10).

-

-

- ```powershell

- (Get-Item C:\Windows\System32\WindowsPowerShell\v1.0\Modules\MSOnline\Microsoft.Online.Administration.Automation.PSModule.dll).VersionInfo.FileVersion

- ```

- If the version number returned is lower than *1.0.8070.2*, uninstall the Microsoft Azure Active Directory module for Windows PowerShell and install from [Step 1](#step-1-install-the-required-software), above.

-

- ```powershell

- (dir "C:\Program Files\WindowsPowerShell\Modules\MSOnline").Name

- ```

-## Connect with the Azure Cloud Shell

-To connect with and use the Azure Cloud Shell from the Microsoft 365 admin center, select the PowerShell window icon from the upper-right corner of the task bar. In the **Welcome to Azure Cloud Shell** pane, select **PowerShell**.

-You will need an active Azure subscription for your organization that is tied to your Microsoft 365 subscription. If you don't already have one, you can create one. Once you have an Azure subscription, a PowerShell window opens from which you can run PowerShell commands and scripts.

-For more information, see [Azure Cloud Shell](/azure/cloud-shell/overview).

-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server

-| Microsoft Defender for Endpoint consolidated URL list (NEW - Streamlined) <br> | **IMPORTANT:** Currently in public preview. <br> Spreadsheet of consolidated URLs for streamlining device connectivity. <br>[Download the spreadsheet here.](https://go.microsoft.com/fwlink/?linkid=2248278)<br><br> **Applicable OS:** <br/>For complete list, see [streamlined connectivity](configure-device-connectivity.md#prerequisites). <br>- Windows 10 1809+<br>- Windows 11<br>- Windows Server 2019<br>- Windows Server 2022<br>- Windows Server 2012 R2, Windows Server 2016 R2 running [Defender for Endpoint modern unified solution](configure-server-endpoints.md) (requires installation through MSI). <br>- macOS supported versions running 101.23092.* + Insider Fast <br/>- Linux supported versions running 101.23092.* + Insider Fast<br><br> **Minimum component versions:**<br/>- Antimalware client: 4.18.2211.5<br/>- Engine: 1.1.19900.2<br/>- Security intelligence: 1.391.345.0<br/> - Xplat version: 101.23092.* + on InsiderFast (Beta)<br/>- Sensor/ KB version: >10.8040.*/ March 8, 2022+<br><br>If you are moving previously onboarded devices to the streamlined approach, see [Migrating device connectivity](migrate-devices-streamlined.md).

-description: Use group policy to deploy and manage on printer protection.

-# Deploy and manage using group policy

-**Applies to:**

-Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

-## Licensing requirements

-Before you get started with Printer protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Printer Protection through group policy, you must have Microsoft 365 E5.

-## Deploy using group policy

-1. Enable or Disable Device control:

- You can enable or disable Device control as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**.

- - In the **Device Control** window, select **Enabled**.

- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy. " lightbox="images/enable-rsac-gp.png":::

- The purpose of this configuration is to temporarily disable device control on specific machine.

- > [!NOTE]

- > If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.admx and WindowsDefender.admx) from [samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main).

- >

- > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection.

-2. Set Default Enforcement:

- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Select Device Control Default Enforcement Policy**

- - In the **Select Device Control Default Enforcement Policy** pane, select **Default Deny**:

- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy." lightbox="images/set-default-enforcement-deny-gp.png":::

- > [!NOTE]

- > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.

-3. Create one XML file for printer group(s):

- Use the properties in printer group to create one XML file for the printer group(s), save the XML file to network share, and define the setting as follows:

- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.

- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups." lightbox="images/define-device-control-policy-grps-gp.png":::

- - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.

- Take a look at the **Overview** > **Group**. You can create different group types. Here's one group example XML file for any network printer and USB printer and PDF/XPS printer group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml).

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-4. Create one XML file for access policy rule(s):

- Use the properties in printer protection policy rule(s) to create an XML for each group's printer access policy rule, save the XML file to network share, and deliver the setting as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.

- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules." lightbox="images/define-device-cntrl-policy-rules-gp.png":::

- - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data.

- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml).

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-5. Set location for a copy of the file (evidence):

- If you want to have a copy of the file (evidence) when Print access happens, set right **Options** in your Printer protection policy rule in the XML file, and then specify the location where system can save the copy.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.

- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.

- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::

-## Scenarios

-Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.

-### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is corporate network, VPN connected, or print through PDF/XPS file

-Allows to print only through approved USB printer when machine is in corporate network, VPN connected, or print through PDF/XPS file.

-You can download the files here, [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Group%20Policy).

-1. Create any printer group and allowed-USB printer group and allowed-file printer group.

- 1. Group 1: Any printer group.

- :::image type="content" source="media/screenshot-of-removable-storage.png" alt-text="This is the screenshot of removable of storage." lightbox="media/screenshot-of-removable-storage.png":::

- 2. Group 2: Allowed-USB printer group.

- :::image type="content" source="media/screenshot-of-approved-usbs.png" alt-text="This is the screenshot of approved USBs." lightbox="media/screenshot-of-approved-usbs.png":::

- 3. Group 2: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended.

- :::image type="content" source="images/group-3.png" alt-text="This is group 3policy." lightbox="images/group-3.png":::

- Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Groups.xml). See step 3 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy.

- 1. Create Allow and Audit policy for allowed-file printer group.

- :::image type="content" source="media/block-write-execute-access.png" alt-text="This is block write access screenshot." lightbox="media/block-write-execute-access.png":::

- 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected.

- :::image type="content" source="media/audit-write.png" alt-text="This is the default audit write access screenshot." lightbox="media/audit-write.png":::

- 3. Create Default Deny custom policy for any other printers.

- :::image type="content" source="images/create-default.png" alt-text="This is create default screenshot." lightbox="images/create-default.png":::

- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Group%20Policy/Printer_Policies.xml). See step 4 from the [Deploy using group policy](deploy-and-manage-using-group-policy.md) section to deploy this configuration.

-description: Use Intune OMA-URI and Intune user interface to deploy and manage on printer protection.

-# Deploy and manage printer protection using Intune

-**Applies to:**

-Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

-## Licensing requirements

-Before you get started with Printer Protection, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Printer Protection, you must have Microsoft 365 E3.

-### Permission

-For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.

-## Deploy using Intune OMA-URI

-Go to the Microsoft Intune admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > **Custom** > **Create**.

-1. Enable or Disable Device control (Optional):

- - Under **Custom**, enter the **Name** and **Description** and select **Next**.

- - In the **Configuration settings**, select **Add**.

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Enable Device Control**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`

- - **Data Type** as **Integer**

- - **Value** as **1**

- `Disable: 0`

- `Enable: 1`

- - Select **Save**.

- :::image type="content" source="media/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy." lightbox="media/enable-rsac.png":::

- The purpose of this configuration is to temporarily disable Device control on specific machine.

- > [!NOTE]

- > This configuration controls both [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer Protection.

-2. Set Default Enforcement:

- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Default Deny**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`

- - **Data Type** as **Integer**

- - **Value** as **1** or **2**

- `DefaultEnforcementAllow = 1`

- `DefaultEnforcementDeny = 2`

- - Select **Save**.

- :::image type="content" source="media/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny." lightbox="media/default-deny.png":::

- > [!NOTE]

- > This configuration controls both Removable storage access control [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md) and Printer protection. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.

-3. Create one XML file for printer group(s):

- You can create a removable storage group for each group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Any Removable Storage Group**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`

- - **Data Type** as **String (XML file)**

- - **Custom XML** as selected XML file

- Take a look at the **Overview** > **Group**. You can create different group types. Here's one group example XML file for any network printer and USB printer and PDF/XPS printer group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Any%20printer%20group.xml).

- :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png":::

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-4. Create one XML file for access policy rule(s):

- You can create a policy and apply it to related removable storage group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Allow Read Activity**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData`

- - **Data Type** as **String (XML file)**

- - **Custom XML** as selected XML file

- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20Authorized%20USB%20Printer.xml).

- :::image type="content" source="media/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy." lightbox= "media/allow-read-activity.png":::

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-5. Set location for a copy of the file (Optional):

- If you want to have a copy of the file (evidence) when Print access happens, set right **Options** in your Printer protection policy rule in the XML file, and then specify the location where system can save the copy.

- - In the **Add Row** pane, enter:

- - **Name** as **Evidence folder location**

- - **OMA-URI** as `./Device/Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`

- - **Data Type** as **String**

- :::image type="content" source="media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence." lightbox="media/device-control-oma-uri-edit-row.png":::

-## Scenarios (default enforcement)

-Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Printer Protection. In the following samples, **Default Enforcement** hasn't been used because the **Default Enforcement** will apply to both the removable storage and the printer.

-### Scenario 1: Prevent print to all but allow print through specific approved USB printer when the machine is Corporate Network OR VPN connected or print through PDF/XPS file

-Allows to print only through approved USB printer when machine is in corporate network, VPN connected, or print through PDF/XPS file.

-You can download the files here, [Printer Protection Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Printer%20Protection%20Samples/Intune%20OMA-URI).

-1. Create any printer group and allowed-USB printer group and allowed-file printer group.

- 1. Group 1: Any printer group

- :::image type="content" source="./media/any-printer-group-xml1.png" alt-text="A screenshot of Any printer group." lightbox= "./media/any-printer-group-xml1.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Any%20printer%20group.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

- 2. Group 2: Allowed-USB printer group

- :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs." lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Authorized%20USB%20Printer.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

- 3. Group 3: Allowed PDF/XPS file printer group: following PrinterConnectionId is used, but if you want to only allow PDF, FriendlyNameId with 'Microsoft Print to PDF' is recommended.

- :::image type="content" source="images/allowed-pdf.png" alt-text="This is allowed pdf."lightbox="images/allowed-pdf.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/PDF_XPS%20Printer.xml). See step 3 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy.

- 1. Create **Allow** and **Audit** policy for allowed-file printer group.

- :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1." lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20PDF_XPS%20Printer.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

- 2. Create policy to allow authorized USB printer only when the machine is Corporate Network OR VPN connected.

- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Allow%20Authorized%20USB%20Printer.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

- 3. Create Default Deny custom policy for any other printers.

- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2." lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Printer%20Protection%20Samples/Intune%20OMA-URI/Default%20Deny%20-%20custom%20policy.xml). See step 4 from the [Deploy Printer Protection](deploy-and-manage-using-intune.md) section to deploy the configuration.

-description: Use group policy to deploy and manage removable storage access control.

-# Deploy and manage Removable Storage Access Control using group policy

-**Applies to:**

-> [!NOTE]

-> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).

-The Removable Storage Access Control feature enables you to apply a policy by using group policy to either user or device, or both.

-## Device Control Removable Storage Access Control policies

-You can use the following properties to create a removable storage group.

-> [!NOTE]

-> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-## Licensing requirements

-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control through group policy, you must have a standalone Microsoft Defender for Endpoint Plan 1 or Microsoft 365 E3 which includes Microsoft Defender for Endpoint Plan 1 or Microsoft 365 E5 which includes Microsoft Defender for Endpoint Plan 1 and 2.

-## Deploy using group policy

-1. Enable or Disable Removable Storage Access Control (Optional):

- You can enable or disable Device control as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**.

- - In the **Device Control** window, select **Enabled**.

- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::

- > [!NOTE]

- > If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.adml and WindowsDefender.admx) from [mdatp-devicecontrol / Removable Storage Access Control Samples](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) on GitHub.

-2. Set Default Enforcement:

- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement**

- - In the **Select Device Control Default Enforcement** pane, select **Default Deny**:

- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::

-3. Create one XML file for removable storage group(s):

- Use the properties in removable storage group to create an XML file for the Removable storage group(s), save the XML file to network share, and define the setting as follows:

- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.

- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png":::

- - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.

- Take a look at the **Overview** > **Removable storage group**. You can create different group types. Here's one group example XML file for any removable storage and CDROM and Windows portable devices and approved USBs group: [XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml)

-

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-4. Create one XML file for access policy rule(s):

- Use the properties in removable storage access policy rule(s) to create an XML for each group's removable storage access policy rule, save the XML file to network share, and deliver the setting as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.

- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::

- - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data.

- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's one [example XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml).

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-5. Set location for a copy of the file (evidence):

- If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.

- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.

- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::

-## Scenarios

-Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.

-### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

-For this scenario, you need to create two groups - one group for any removable storage and another group for approved USBs. You also need to create two policies - one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

-1. Create groups

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

- :::image type="content" alt-text="A screenshot of removable storage" source="https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

- 2. Group 2: Approved USBs based on device properties.

- :::image type="content" alt-text="A screenshot of approved USBs" source="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" lightbox="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

-

- Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy

- 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.

- :::image type="content" alt-text="A screenshot of block write and execute access" source="https://user-images.githubusercontent.com/81826151/188237490-d736ace1-4912-4788-9e94-3fc506692a41.png":::

- 2. Policy 2: Audit Write and Execute access for allowed USBs.

- :::image type="content" alt-text="A screenshot of audit write and execute access" source="https://user-images.githubusercontent.com/81826151/188237598-b28dd534-9ea4-4cdd-832b-afff50f9897b.png":::

- What does '54' mean in the policy? It's 18 + 36 = 54:

- - Write access: disk level 2 + file system level 16 = 18.

- - Execute: disk level 4 + file system level 32 = 36.

- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%201%20GPO%20Policy%20-%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

-### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

-For this scenario, you need to create two groups - one group for any removable storage and another group for blocked USBs. You also need to create two policies - one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.

-1. Create groups

- 1. Group 1: Any removable storage, CD/DVD, and windows portable devices.

- :::image type="content" alt-text="A screenshot of removable storage in groups" source="https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

- 2. Group 2: Blocked USBs based on device properties.

- :::image type="content" alt-text="A screenshot of blocked USBs" source="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" lightbox="https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

-

- Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy

- 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs.

- :::image type="content" alt-text="A screenshot of specific unapproved USBs" source="https://user-images.githubusercontent.com/81826151/188239025-218a1985-b198-4f7e-b323-b4b6fb7e274e.png" lightbox="https://user-images.githubusercontent.com/81826151/188239025-218a1985-b198-4f7e-b323-b4b6fb7e274e.png":::

- 2. Policy 2: Audit Write and Execute access for others.

- :::image type="content" alt-text="A screenshot of audit write and execute access in group policy" source="https://user-images.githubusercontent.com/81826151/188239144-3e6a2781-6927-487a-aa01-498a0904ad98.png" lightbox="https://user-images.githubusercontent.com/81826151/188239144-3e6a2781-6927-487a-aa01-498a0904ad98.png":::

- What does '54' mean in the policy? It's 18 + 36 = 54:

- - Write access: disk level 2 + file system level 16 = 18.

- - Execute: disk level 4 + file system level 32 = 36.

- Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%202%20GPO%20Policy%20-%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

-### Scenario 3: Block read and execute access to specific file extension

-For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy - deny read and execute access to any file under the allowed file extension group for defined removable storage group.

-1. Create groups

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

- 2. Group 2: Unallowed file extensions.

-

- Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Block%20Read%20and%20Write%20access%20to%20specific%20file%20_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

- > [!TIP]

- > Explicitly mark the Type attribute on the group as **File**

- 2. Policy 2: Deny read and execute access to any file under the allowed file extension group for defined removable storage group.

- :::image type="content" alt-text="image" source="https://user-images.githubusercontent.com/81826151/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png":::

-

- What does '40' mean in the policy? It's 8 + 32 = 40:

- - only need to restrict file system level access

- Although this case only has one policy, make sure put it under PolicyRules [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Block%20Read%20and%20Write%20access%20to%20specific%20file%20_Policy.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.

-description: Use Intune OMA-URI and Intune user interface to deploy and manage removable storage access control.

-# Deploy and manage Removable Storage Access Control using Intune

-**Applies to:**

-> [!NOTE]

-> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).

-The Removable Storage Access Control feature enables you to apply policy by using OMA-URI or by using Intune user interface to either user or device, or both.

-|Capability|Intune OMA-URI|Intune user interface|

-||||

-|Enable or Disable Device control|supported|not supported|

-|Set Default Enforcement|supported|not supported|

-|Create Removable storage group|supported|supported|

-|Control Disk level access|supported|supported|

-|Control File level access|supported|not supported|

-|Set location for a copy of the file|supported|not supported|

-|File Parameter|supported|not supported|

-|Network location|supported|not supported|

-## Licensing requirements

-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3.

-### Permission

-For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.

-## Deploy Removable Storage Access Control by using Intune OMA-URI

-Go to the Microsoft Intune admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > **Custom** > **Create**.

-1. Enable or Disable Device control (Optional):

- - Under **Custom**, enter the **Name** and **Description** and select **Next**.

- - In the **Configuration settings**, select **Add**.

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Enable Device Control**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`

- - **Data Type** as **Integer**

- - **Value** as **1**

- `Disable: 0`

- `Enable: 1`

- - Select **Save**.

- :::image type="content" source="media/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="media/enable-rsac.png":::

-2. Set Default Enforcement (Optional):

- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).

- To block a specific removable storage class but allow specific media, you can use '`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`/`HardwareId`/etc.' For more information, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).

- For example, you can have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Default Deny**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`

- - **Data Type** as **Integer**

- - **Value** as **1** or **2**

- `DefaultEnforcementAllow = 1`

- `DefaultEnforcementDeny = 2`

- - Select **Save**.

- :::image type="content" source="media/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="media/default-deny.png":::

-3. Create one XML file for each group:

- You can create a removable storage group for each group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Any Removable Storage Group**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`

- - **Data Type** as **String (XML file)**

- - **Custom XML** as selected XML file

- Take a look at the **Overview** -> **Removable storage group**, you can create different group types. Here's a [group example XML file for any removable storage and CD-ROM and Windows portable devices](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml).

-

- To get the GroupId, sign in to the **Microsoft Intune admin center** and select **Groups** > **Copy the Object ID**.

- :::image type="content" source="media/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="media/any-removable-storage-group.png":::

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-4. Create one XML file for each access control or policy rule:

- You can create a policy and apply it to related removable storage group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Allow Read Activity**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData`

- - **Data Type** as **String (XML file)**

- - **Custom XML** as selected XML file

- Take a look at the **Overview** -> **Access policy rule**, you can use **Parameters** to set condition for specific Entry. Here's a [group example XML file for Allow Read access for each removable storage](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml).

- :::image type="content" source="media/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "media/allow-read-activity.png":::

- > [!NOTE]

- > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-5. Set location for a copy of the file (Optional):

- If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.

- - In the **Add Row** pane, enter:

- - **Name** as **Evidence folder location**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`

- - **Data Type** as **String**

- :::image type="content" source="media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence" lightbox="media/device-control-oma-uri-edit-row.png":::

-## Scenarios (default enforcement)

-Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.

-### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

-For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

-1. Create groups.

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage" lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- 2. Group 2: Approved USBs based on device properties.

- :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs" lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value in the XML file.

-2. Create policy

- 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.

- :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1" lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- 2. Policy 2: Audit Write and Execute access for allowed USBs.

- :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2" lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::

- What does `54` mean in the policy? It's `18 + 36 = 54`.

- - Write access: disk level 2 + file system level 16 = 18.

- - Execute: disk level 4 + file system level 32 = 36.

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Audit%20Write%20and%20Execute%20access%20to%20aproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

-### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

-For this scenario, you need to create two groups: one group for any removable storage and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.

-1. Create groups

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- 2. Group 2: Unapproved USBs based on device properties.

- :::image type="content" source="media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png" alt-text="A screenshot of group 2" lightbox= "media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unapproved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- > [!TIP]

- > Replace `&` with `&amp;` in the value in the XML file.

-2. Create policy

- 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs.

- :::image type="content" source="media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png" alt-text="A screenshot of policy for blocking unapproved USBs" lightbox= "media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- 2. Policy 2: Audit Write and Execute access for others.

- :::image type="content" source="media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png" alt-text="A screenshot of audit write and execute access" lightbox= "media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png":::

- What does `54` mean in the policy? It's `18 + 36 = 54`.

- - Write access: disk level 2 + file system level 16 = 18.

- - Execute: disk level 4 + file system level 32 = 36.

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20others.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

-### Scenario 3: Block read and execute access to specific file extension

-For this scenario, you need to create two groups: one removable storage group for any removable storage and another group for unallowed file extensions. You also need to create one policy: deny read and execute access to any file under the unallowed file extension group for a defined removable storage group.

-1. Create groups.

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.

- :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- 2. Group 2: Unallowed file extensions.

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unauthorized%20File%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

- > [!TIP]

- > Explicitly mark the Type attribute on the group as **File**

- 3. Policy 2: Deny read and execute access to any file under the allowed file extension group for defined removable storage group.

- :::image type="content" source="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png" alt-text="Screenshot of OMA-URI settings." lightbox="media/200713006-c0d39e2b-9acc-4522-9f88-e064eeb3a4ae.png":::

- What does `40` mean in the policy? It's `8 + 32 = 40`.

- - only need to restrict file system level access

- Here's the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Deny%20Read%20and%20Write%20access%20to%20specific%20files.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

-## Deploy Removable Storage Access Control by using Intune user interface

-This capability is available in the Microsoft Intune admin center (<https://endpoint.microsoft.com/>).

-Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.

-## Scenarios (USB devices)

-Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. In the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.

-### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

-For this scenario, you need to create two groups: one group for any removable storage and another group for approved USBs. You also need to create two policies: one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.

-1. To set up the groups you'll need, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Reusable settings** \> **Add**. For more details, see **DescriptorIdList** on the [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md#group).

- 1. For group 1, configure any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots:

- :::image type="content" source="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png" alt-text="Screenshot showing removable device settings." lightbox="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png":::

- :::image type="content" source="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png" alt-text="Screenshot showing additional removable device settings." lightbox="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png":::

- 2. For group 2, choose **+ Add** to create another group for approved USBs, based on device properties, as shown in the following screenshot:

- :::image type="content" source="media/208774190-b700f7cb-0d0e-4d27-955b-23be9c0cb7b5.png" alt-text="Screenshot showing additional group for approved USB devices." lightbox="media/208774190-b700f7cb-0d0e-4d27-955b-23be9c0cb7b5.png":::

-2. To set up your policy, go to **Endpoint Security** \> **Attack Surface Reduction** \> **Create Policy**.

-3. Choose **Platform**: **Windows 10 and later** with **Profile: Device Control**. Select **Device Control**: **Configured**.

- 1. Set up Policy 1: Audit Write and Execute access for allowed USBs.

- - Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208774439-b46795ce-e9c0-41ec-a3f7-26feefa6b2e7.png" alt-text="Screenshot showing auditing settings for policy 1." lightbox="media/208774439-b46795ce-e9c0-41ec-a3f7-26feefa6b2e7.png":::

- - Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot:

- :::image type="content" source="media/208774532-d8d3f0a0-5ce3-401b-bb8b-2b75383d6cf7.png" alt-text="Screenshot showing auditing settings being edited." lightbox="media/208774532-d8d3f0a0-5ce3-401b-bb8b-2b75383d6cf7.png":::

- 2. Set up Policy 2. Choose **+ Add** to create another policy for **Block Write and Execute access for any removable storage group**.

- - Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208774632-5a568173-c6af-4a64-8236-e0ec5f835147.png" alt-text="Screenshot showing the ID for reusable settings." lightbox="media/208774632-5a568173-c6af-4a64-8236-e0ec5f835147.png":::

- - Choose **+ Set reusable settings** for **Excluded ID** to exclude authorized USBs, and then choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208774743-6b584ac3-3373-4650-9af8-d340ffa9ceae.png" alt-text="Screenshot showing excluded ID settings." lightbox="media/208774743-6b584ac3-3373-4650-9af8-d340ffa9ceae.png":::

- - Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot:

- :::image type="content" source="media/208774780-39818049-07ee-4bee-824c-25a7cf235227.png" alt-text="Screenshot showing editing an entry for policy 2." lightbox="media/208774780-39818049-07ee-4bee-824c-25a7cf235227.png":::

-### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs

-For this scenario, you need to create two groups: one group for any removable storage, and another group for blocked USBs. You also need to create two policies: one policy to audit Write and Execute access for any removable storage group, and the other policy to deny the blocked USBs group.

-1. To create groups, go to **Endpoint Security** > **Attack Surface Reduction** > **Reusable settings** > **Add**. For more details, see **DescriptorIdList** on the [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](device-control-removable-storage-access-control.md#group).

- 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices, as shown in the following screenshots:

- :::image type="content" source="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png" alt-text="Screenshot showing removable storage example." lightbox="media/208774115-ab503406-a3c6-4611-b5fa-9e837e731898.png":::

- And here's another example:

- :::image type="content" source="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png" alt-text="Screenshot showing a second example of removable storage." lightbox="media/208774136-b63b2268-926f-482a-a509-aab7f8efba02.png":::

-2. To create your policy, go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform**: **Windows 10 and later** with **Profile: Device Control**. Select **Device Control**: **Configured**.

- 1. Policy 1: Block unauthorized USBs. Choose **+ Set reusable settings** for **Included ID** and choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208775137-c5a98123-b488-4e1a-9695-9b93b1d8f45b.png" alt-text="Screenshot showing the included ID for settings." lightbox="media/208775137-c5a98123-b488-4e1a-9695-9b93b1d8f45b.png":::

- Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot:

- :::image type="content" source="media/208775203-439bb8b5-e45a-47a7-9828-51ea9d5cfe95.png" alt-text="Screenshot showing Entry being edited." lightbox="media/208775203-439bb8b5-e45a-47a7-9828-51ea9d5cfe95.png":::

- 2. Policy 2: Choose **+ Add** to create another policy for 'Audit Write and Execute access for any removable storage group'. Choose **+ Set reusable settings** for **Included ID**, and then choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208775292-485a13e4-533c-4efc-97a4-611786d02fd1.png" alt-text="Screenshot showing reusable settings." lightbox="media/208775292-485a13e4-533c-4efc-97a4-611786d02fd1.png":::

- Choose **+ Set reusable settings** for **Excluded ID** to exclude authorized USBs, and then choose **Select**, as shown in the following screenshot:

- :::image type="content" source="media/208775330-79c69f54-513e-49b2-8b9f-2fdf8293ee35.png" alt-text="Screenshot showing excluded ID in reusable settings." lightbox="media/208775330-79c69f54-513e-49b2-8b9f-2fdf8293ee35.png":::

- Choose **+ Edit Entry** for **Entry**, as shown in the following screenshot:

- :::image type="content" source="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png" alt-text="Screenshot showing edit mode for an entry." lightbox="media/208775366-f2cafb54-eb63-4bcd-b0fe-880f3cba2c1b.png":::

-description: A walk-through about Microsoft Defender for Endpoint

-# Microsoft Defender for Endpoint Device Control Removable Storage Access Control

-**Applies to:**

-> [!NOTE]

-> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).

-## Overview

-Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage with or without exclusions.

-|Privilege|Permission|

-|||

-|Access|Read, Write, Execute|

-|Action Mode|Audit, Allow, Prevent|

-|CSP Support|Yes|

-|GPO Support|Yes|

-|User-based Support|Yes|

-|Machine-based Support|Yes|

-### Prepare your endpoints

-Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version **4.18.2103.3 or later**.

-> [!NOTE]

-> None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.

-## Device Control Removable Storage Access Control properties

-The Removable Storage Access Control includes Removable storage group creation and access policy rule creation:

-Here are the properties you can use when you create the group and policy XML files.

-### Group

-Group includes following types:

-The following table lists the properties you can use in **Group**:

-|Property Name|Description|Options|

-||||

-|**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

-|**Type**|The type of the group. |**File** <p>**Device** <p> **Note**: Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File". |

-|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It's the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It's `Hardware Ids` in the Device Manager. <br>**Note**: Hardware ID isn't unique; different devices might share the same value.<p>**FriendlyNameId**: It's a string attached to the device, for example, `Generic Flash Disk USB Device`. It's the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **NameId**: The name of the Network or VPN Connection, support wildcard and only applicable for Network type or VPN Connection type Group. <p> **NetworkCategoryId**: only applicable for Network type Group and includes `Public`, `Private`, `DomainAuthenticated`. <p> **NetworkDomainId**: only applicable for Network type Group and includes `NonDomain`, `Domain`, `DomainAuthenticated`. <p> **VPNConnectionStatusId**: only applicable for VPN Connection type Group and includes `Connected`, `Disconnected`. <p> **VPNServerAddressId**: string, value of VPNServerAddress, support wildcard and only applicable for VPN Connection type Group. <p> **VPNDnsSuffixId**: string, value of VPNDnsSuffix, support wildcard and only applicable for VPN Connection type Group. <p> **PathId**: string, value of file path or name, support wildcard and only applicable for File type Group. <p> **Note**: See [How do I find the media property in the Device Manager?](device-control-removable-storage-access-control-faq.md#how-do-i-find-the-media-property-in-the-device-manager) to understand how to find the property in Device Manager.|

-|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.|

-### Access policy rule

-Every access policy rule called **PolicyRule** can be used to define access restriction for each group through multiple **Entry**.

-The following table lists the properties you can use in **PolicyRule**:

-| Property Name | Description | Options |

-||||

-| **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

-| **Name** | String, the name of the policy and will display on the toast based on the policy setting. | |

-| **IncludedIdList** | The group(s) that the policy will be applied to. If multiple groups are added, **the media must be a member of each group in the list** to be included.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |

-| **ExcludedIDList** | The group(s) that the policy won't be applied to. If multiple groups are added, **the media must be a member of a group in the list** to be excluded. | The Group ID/GUID must be used at this instance. |

-| **Entry** | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See Entry properties table below to get details.|

-The following table lists the properties you can use in **Entry**:

-| Property Name | Description | Options |

-||||

-| **Entry Id** | GUID, a unique ID, represents the entry and will be used in the reporting and troubleshooting.| You can generate the ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).|

-| **Type** | Defines the action for the removable storage groups in IncludedIDList. <p>Enforcement: Allow or Deny <p>Audit: AuditAllowed or AuditDenied<p> | Allow<p>Deny <p>AuditAllowed: Defines notification and event when access is allowed <p>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.<p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. |

-| **Sid** | Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine. | |

-| **ComputerSid** | Local computer Sid or computer Sid group or the Sid of the AD object or the Object Id of the Microsoft Entra object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | |

-| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system won't send event. <p>8: create a copy of the file as evidence, and fire "RemovableStorageFileEvent" event, this has to be used together with 'Set location for a copy of the file' setting through Intune or Group Policy. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system won't show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |

-|AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.|

-|Parameters|Condition for this Entry, for example Network condition. | Can add groups (non Devices type) or even put Parameters into Parameters. See Parameters properties table below to get details.|

-The following table lists the properties you can use in **Parameters**:

-| Property Name | Description | Options |

-||||

-|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. <p> **MatchExcludeAll**: The attributes under the DescriptorIdList will be And relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system will do the enforcement as long as the USB doesn't have both identical DeviceID and InstanceID value. <p> **MatchExcludeAny**: The attributes under the DescriptorIdList will be Or relationship, any items that do NOT meet will be covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system will do the enforcement as long as the USB doesn't have either an identical DeviceID or InstanceID value.|

-| **File** <p> **VPN Connection** <p> **Network** | You can use one or multiple File or Network or VPN Connection group(s) as parameter for this Entry, and then define MatchType for the relationship between those groups.|

-| **Parameters** | You can embed Parameters inside Parameters with MatchType.|

-For specific guidance, see:

-| Article | Description |

-|||

-| [Deploying Removable Storage Access Control by using Group Policy](deploy-manage-removable-storage-group-policy.md) | Use Group Policy to deploy the policy.|

-| [Deploying Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md) | Use Intune to deploy the policy.|

-## View data in Microsoft Defender for Endpoint

-The [Microsoft Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control. To access the Microsoft 365 security, you must have the following subscription:

-

-If `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**, an event will be sent to Advanced hunting or the Device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in.

-```kusto

-//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement

-DeviceEvents

-| where ActionType == "RemovableStoragePolicyTriggered"

-| extend parsed=parse_json(AdditionalFields)

-| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)

-| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)

-| extend MediaBusType = tostring(parsed.BusType)

-| extend MediaClassGuid = tostring(parsed.ClassGuid)

-| extend MediaClassName = tostring(parsed.ClassName)

-| extend MediaDeviceId = tostring(parsed.DeviceId)

-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)

-| extend MediaName = tostring(parsed.MediaName)

-| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)

-| extend MediaProductId = tostring(parsed.ProductId)

-| extend MediaVendorId = tostring(parsed.VendorId)

-| extend MediaSerialNumber = tostring(parsed.SerialNumber)

-|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize

-| order by Timestamp desc

-```

-```kusto

-//information of the evidence file

-DeviceEvents

-| where ActionType contains "RemovableStorageFileEvent"

-| extend parsed=parse_json(AdditionalFields)

-| extend Policy = tostring(parsed.Policy)

-| extend PolicyRuleId = tostring(parsed.PolicyRuleId)

-| extend MediaClassName = tostring(parsed.ClassName)

-| extend MediaInstanceId = tostring(parsed.InstanceId)

-| extend MediaName = tostring(parsed.MediaName)

-| extend MediaProductId = tostring(parsed.ProductId)

-| extend MediaVendorId = tostring(parsed.VendorId)

-| extend MediaSerialNumber = tostring(parsed.SerialNumber)

-| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)

-| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)

-| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields

-| order by Timestamp desc

-```

-description: Understand capabilities that help prevent user or machine or both from using unauthorized removable storage media

-# Microsoft Defender for Endpoint Device Control Removable Storage Protection

-**Applies to:**

-Device control removable storage protection in Microsoft Defender for Endpoint prevents users, endpoints, or both from using unauthorized removable storage media.

-## Removable storage access control

-**Capabilities**

-To manage external storage, use removable storage access control instead of [device installation](#device-installation).

-**Windows 10 and Windows 11 support details**

-**Supported Platform**

-**macOS support details**

-**Supported platform**

-## Device installation

-**Capabilities** - Prevent installation with or without exclusion based on various device properties.

-**Windows 10 and Windows 11 support details**:

-**Supported Platform**

-**macOS support details**

-**Supported platform**

-## Endpoint DLP Removable storage

-**Capabilities**

-**Description**

-**Supported Platform**

-## BitLocker

-**Capabilities**

-**Description**

-**Supported Platform**

-# Device control report

-Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives. You can use device control events through:

-Select each tab to learn more about these methods.

-The [Microsoft Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control and Printer Protection. To access the Microsoft Defender portal, you must have the following subscription:

-The event is sent to Advanced hunting or the device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in.

-description: This topic provides a walk through about Microsoft Defender for Endpoint Device Control Device Installation

-ms.sitesec: library

-ms.pagetype: security

-# Microsoft Defender for Endpoint Device Control Device Installation

-**Applies to**

-> [!NOTE]

-> If you want to manage removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).

-Microsoft Defender for Endpoint Device Control Device Installation enables you to do the following task:

-> [!NOTE]

-> To find the difference between Device Installation and Removable storage access control, see [Microsoft Defender for Endpoint Device Control Removable Storage Protection](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true).

-|Privilege|Permission|

-|:|:|

-|Access|Device installation |

-|Action Mode|Allow, Prevent |

-|CSP Support|Yes|

-|GPO Support|Yes|

-|User-based Support|No|

-|Machine-based Support|Yes|

-## Prepare your endpoints

-Deploy Device Installation on Windows 10, Windows 11 devices, Windows Server 2022.

-## Device properties

-The following device properties are supported by Device Installation support:

-For more information, see [Device Installation in Windows](/windows/client-management/manage-device-installation-with-group-policy).

-## Policies

-### Allow installation of devices that match any of these Device IDs

-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.

-When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:

-If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.

-> [!NOTE]

-> The **Prevent installation of devices not described by other policy settings** policy setting has been replaced by the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting for supported target Windows 10 versions and Windows 11. Use the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting when possible.

-### Allow installation of devices that match any of these device instance IDs

-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.

-When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:

-If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.

-### Allow installation of devices using drivers that match these device setup classes

-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is enabled.

-When this policy setting is enabled together with the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting, Windows is allowed to install or update driver packages whose device setup class GUIDs appear in the list you create, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation, such as the following policy settings:

-If the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence.

-### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria

-This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria are applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:

-**Device instance IDs** \> **Device IDs** \> **Device setup class** \> **Removable devices**

-#### Device instance IDs

-1. Prevent installation of devices using drivers that match these device instance IDs.

-2. Allow installation of devices using drivers that match these device instance IDs.

-#### Device IDs

-1. Prevent installation of devices using drivers that match these device IDs.

-2. Allow installation of devices using drivers that match these device IDs.

-#### Device setup class

-1. Prevent installation of devices using drivers that match these device setup classes.

-2. Allow installation of devices using drivers that match these device setup classes.

-#### Removable devices

-Prevent installation of removable devices

-> [!NOTE]

-> This policy setting provides more granular control than the **Prevent installation of devices not described by other policy settings** policy setting. If these conflicting policy settings are enabled at the same time, the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting will be enabled and the other policy setting will be ignored.

-### Prevent installation of devices that match any of these device IDs

-This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.

-> [!NOTE]

-> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.

-If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

-### Prevent installation of devices that match any of these device instance IDs

-This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

-If you enable this policy setting, Windows is prevented from installing a device whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

-If you disable or don't configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

-### Prevent installation of devices using drivers that match these device setup classes

-This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.

-> [!NOTE]

-> To enable the **Allow installation of devices that match any of these device IDs** and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting.

-If you enable this policy setting, Windows is prevented from installing or updating driver packages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

-If you disable or don't configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

-### Prevent installation of removable devices

-This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device.

-> [!NOTE]

-> To enable the **Allow installation of devices using drivers that match these device setup classes**, **Allow installation of devices that match any of these device IDs**, and **Allow installation of devices that match any of these device instance IDs** policy settings to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. Also, the allow policy won't take precedence if the **Block Removable Storage** option is selected in Device Control.

-If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.

-If you disable or don't configure this policy setting, Windows can install and update driver packages for removable devices as allowed or prevented by other policy settings.

-## Common Removable Storage Access Control scenarios

-To help familiarize you with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.

-### Scenario 1: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive

-For this scenario, following policies will be used:

-#### Deploying and managing policy via Intune

-The Device installation feature allows you to apply policy through Intune to device.

-#### Licensing

-Before you get started with Device installation, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/en-in/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Device installation, you must have Microsoft 365 E3.

-#### Permission

-For Policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:

-#### Deploying policy

-In the Microsoft Intune admin center [https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)

-1. Configure **Prevent installation of devices using drivers that match these device setup classes**.

- Open **Endpoint security** > **Attack surface reduction** > **Create Policy** > **Platform: Windows 10 (and later) & Profile: Device control**.

- :::image type="content" source="../../media/devicepolicy-editprofile.png" alt-text="The Edit profile page" lightbox="../../media/devicepolicy-editprofile.png":::

-2. Plug in a USB, device and you will see following error message:

- :::image type="content" source="../../media/devicepolicy-errormsg.png" alt-text="The error message" lightbox="../../media/devicepolicy-errormsg.png":::

-3. Enable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria**.

- **only support OMA-URI for now**: **Devices** > **Configuration profiles** > **Create profile** > **Platform: Windows 10 (and later) & Profile: Custom**

- :::image type="content" source="../../media/devicepolicy-editrow.png" alt-text="The Edit Row page" lightbox="../../media/devicepolicy-editrow.png":::

-4. Enable and add allowed USB Instance ID ΓÇô **Allow installation of devices that match any of these device IDs**.

- Update the Device control profile from step 1.

- :::image type="content" source="../../media/devicepolicy-devicecontrol.png" alt-text="An identifier in the Device Control page" lightbox="../../media/devicepolicy-devicecontrol.png":::

- We added `PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB` as shown in the preceding image because it's not enough to enable only a single hardware ID to enable a single USB thumb-drive. You must ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. You can open Device Manager and change the view to **Devices by connections** to see the way devices are installed in the PnP tree. In this case, the following devices must allowed so the target USB thumb-drive could be allowed as well:

- - "Intel(R) USB 3.0 eXtensible Host Controller ΓÇô 1.0 (Microsoft)" -> PCI\CC_0C03

- - "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30

- - "Generic USB Hub" -> USB\USB20_HUB

- :::image type="content" source="../../media/devicepolicy-devicemgr.png" alt-text="The View menu item in the Device Manager page" lightbox="../../media/devicepolicy-devicemgr.png":::

- > [!NOTE]

- > Some devices in the system have several layers of connectivity to define their installation on the system. USB thumb drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic device IDs that are commonly used in systems and could provide a good start to build an "Allow list" in such cases. The following is one example (it is not always the same for all USBs; you need to understand the PnP tree of the device you want to manage through the Device Manager):

- >

- > `PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ USB\USB20_HUB (for Generic USB Hubs)/`

- >

- > Specifically for desktop machines, it's important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices.

- >

- > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.

-5. Plug in the allowed USB again. You'll see that it's now allowed and available.

- :::image type="content" source="../../media/devicepolicy-removedrive.png" alt-text="The Remove drive details page" lightbox="../../media/devicepolicy-removedrive.png":::

-#### Deploying and managing policy via Group Policy

-The Device installation feature allows you to apply policy through Group Policy.

-#### Deploying policy

-See [Manage Device Installation with Group Policy (Windows 10) - Windows Client](/windows/client-management/manage-device-installation-with-group-policy).

-## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint

-The [Microsoft Defender portal](https://sip.security.microsoft.com/homepage) shows removable storage blocked by the Device Control Device Installation.

-```kusto

-//events triggered by Device Installation policies

-DeviceEvents

-| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed"

-| extend parsed=parse_json(AdditionalFields)

-| extend MediaClassGuid = tostring(parsed.ClassGuid)

-| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)

-| extend MediaDeviceId = tostring(parsed.MatchingDeviceId)

-| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields

-| order by Timestamp desc

-```

-## Frequently asked questions

-### How do I confirm that a device gets a deployed policy?

-You can use following query to get antimalware client version on the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)):

-```kusto

-//check whether the Device installation policy has been deployed to the target machine, event only when modification happens

-DeviceRegistryEvents

-| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\"

-| order by Timestamp desc

-```

-## Why doesn't the Allow policy work?

-It is not enough to enable only a single hardware ID to enable a single USB thumb-drive. Ensure that all the USB devices that precede the target one aren't blocked (allowed) as well.

-Run `mdatp health -details` to confirm simplified_connectivity: "enabled".

-5. Enable [removable storage protection](device-control-removable-storage-protection.md)

-description: Answers frequently asked questions on MDE Printer Protection.

-ms.sitesec: library

-ms.pagetype: security

-# Printer Protection frequently asked questions

-**Applies to:**

-This article provides answers to frequently asked questions about device control printer protection capabilities in Microsoft Defender for Endpoint.

-## How do I generate GUID for Group ID/PolicyRule ID/Entry ID?

-You can generate the GUID through online open source or by using PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).

-## What are the removable storage media and policy limitations?

-The backend call is done through OMA-URI (GET to read or PATCH to update) either from Intune or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files. For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.

-## Why doesn't the policy work?

-The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).

-Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.

-If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRules into one XML file within a parent node called `PolicyRules`. Also combine all Groups into one XML file within a parent node called `Groups`. If you manage through Intune, keep one PolicyRule XML file, and one Group XML file.

-The device (machine) should have a valid certificate. Run the following command on the machine to check:

-`Get-AuthenticodeSignature C:\Windows\System32\wbem\WmiPrvSE.exe`

-If the policy still isn't working, contact support, and share your support cab. To get that file, open Command Prompt as an administrator, and then use the following command:

-`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`

-## Why is there no configuration UX for some policy groups?

-There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related `.adml` and `.admx` files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/WindowsDefender.admx) files.

-## How do I confirm that the latest policy has been deployed to the target machine?

-You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine.

-## How can I know which machine is using out of date anti-malware client version in the organization?

-You can use following query to get anti-malware client version on the Microsoft 365 security portal:

-```kusto

-//check the anti-malware client version

-DeviceFileEvents

-|where FileName == "MsMpEng.exe"

-|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"

-|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))

-//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion

-|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion

-|order by PlatformVersion desc

-```

-## How do I find the media property in the Device Manager?

-1. Plug in the media.

-2. Open Device Manager.

- :::image type="content" source="media/screenshot-of-device-manager.png" alt-text="This is the screenshot of device manager." lightbox="media/screenshot-of-device-manager.png":::

-3. Locate the media in the Device Manager, right-click, and then select **Properties**.

- :::image type="content" source="media/locate-the-media.png" alt-text="This is the locate the media screenshot." lightbox="media/locate-the-media.png":::

-4. Open **Details**, and select **Properties**.

- :::image type="content" source="media/details.png" alt-text="This is details screenshot." lightbox="media/details.png":::

-

-

-<a name='how-do-i-find-sid-for-azure-ad-group'></a>

-## How do I find Sid for Microsoft Entra group?

-Different from AD group, the Sid is using Object ID for Microsoft Entra group. You can find the Object ID from Azure portal.

-

-## Why do I see duplicate events from RemovableStoragePolicyTriggered and PrintJobBlocked?

-PrintJobBlocked is designed for [Printer Protection V1](printer-protection.md). Because the new Printer Protection solution is built based on the V1 solution, the system will still use PrintJobBlocked. If you are using the [new Printer Protection](printer-protection-overview.md), RemovableStoragePolicyTriggered is used to track the event.

-description: A walk-through about Microsoft Defender for Endpoint for Printer Protection

-# Printer Protection Overview

-**Applies to:**

-> [!NOTE]

-> The Group Policy management and Intune OMA-URI/Custom Policy management of this product have been released. If you're currently using [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md), we recommend that you upgrade.

-## Overview

-Microsoft Defender for Endpoint Device Control Printer Protection feature enables you to audit, allow, or prevent printer with or without exclusions.

-|Privilege|Permission|

-||::|

-|Access|Read, Write, Execute|

-|Action Mode|Audit, Allow, Prevent|

-|CSP Support|Yes|

-|GPO Support|Yes|

-|User-based Support|Yes|

-|Machine-based Support|Yes|

-### Prerequisites for preview

-Ensure that the Windows devices that you need to onboard should meet the following requirements:

-1. Install the right OS KB:

- - Windows 10 and later (20H2, 21H1, 21H2, and later) - [KB5020030](https://support.microsoft.com/en-us/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2)

- - Win 11 21H2 - [KB5019157](https://support.microsoft.com/en-us/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0)

- - Win 11 22H2 - [KB5020044](https://support.microsoft.com/en-us/topic/november-29-2022-kb5020044-os-build-22621-900-preview-43f0bdf9-0b75-4110-bab3-3bd2433d84b3)

-2. MOCAMP:4.18.2205 or later, you can run the command `Get-MpComputerStatus` in PowerShell to check the version.

-### Device control printer protection properties

-The printer protection comprises group and policy configurations:

-#### Group configuration

-Group configuration includes the following types:

-The following table lists the properties you can use in **Group**:

-|Property Name|Description|Options|

-||||

-|Group ID|GUID, a unique ID, represents the group and to be used in the policy.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

-|Name|String, the name of the policy and that displays on the toast based on the policy setting.|

-|Type|The type of the group.|<ul><li>Device</li><li>Network</li><li>VPN Connection</li><li>PrintJob</li></ul> <p> **Note:** Default type is Device that includes removable storage and printer. For any other group you define in your Group setting, make sure explicitly mark Type, for example, Type="File".|

-|DescriptorIdList|List the device properties you want to use to cover in the group. All properties are case sensitive.|When the Group type is Device, you can use the following attributes inside DescriptorIdList: <ul><li>PrimaryId: The Primary ID includes: <ul><li>RemovableMediaDevices</li><li>CdRomDevices</li><li>WpdDevices</li><li>PrinterDevices</li></ul></li><li>FriendlyNameId: A string that's attached to the device (the same string as the Friendly name in Device Manager). For example, `Generic Flash Disk USB Device`.</li><li>Device instance path (VID_PID): <ul><li>Vendor ID (VID): The four-digit vendor code that's assigned to the vendor by the USB committee.</li><li>Product ID (PID): The four-digit product code that's assigned to the device by the vendor. Wildcards are supported.</li></ul> <p> To transform the Device instance path to the VID_PID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example: <ul><li>`0751_55E0` matches that exact VID_PID pair value.</li><li>`_55E0` matches any device with the PID value 55E0.</li><li>`0751_` matches any device with the VID value 0751.</li></ul></li><li>PrinterConnectionId: Includes the following values: <ul><li>USB: A printer that's connected through USB port of a computer. You can use this value to enforce any USB printer. To define a specific USB printer, use the VID_PID.</li><li>Corporate: A print queue that's shared through a Windows print server in your on-premises domain. For example, `\print-server\contoso.com\legal_printer_001`.</li><li>Network: A printer that's accessible by network connection, making it usable by other computers that are connected to the network.</li><li>Universal: For more information about universal printers, see [Set up Universal Print](/universal-print/fundamentals/universal-print-getting-started).</li><li>File: Microsoft Print to PDF or Microsoft XPS Document Writer. To enforce Microsoft Print to PDF only, use the FriendlyNameId value 'Microsoft Print to PDF'.</li><li>Custom: A printer that doesn't connect through a Microsoft print port.</li><li>Local: A printer that connects through a Microsoft print port, but not any of the previously described types. For example, print through Remote Desktop or redirect printer.</li></ul> </li></ul> <p> **When the Group type is Network, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the Network. Wildcards are supported.</li><li>NetworkCategoryId: Public, Private, or DomainAuthenticated.</li><li>NetworkDomainId: NonDomain, Domain, or DomainAuthenticated.</li></ul> <p> **When the Group type is VPNConnection, you can use the following attributes inside DescriptorIdList**: <ul><li>NameId: The name of the VPN Connection. Wildcards are supported.</li><li>VPNConnectionStatusId: Connected or Disconnected.</li><li>VPNServerAddressId: The value of VPNServerAddress (string). Wildcards are supported.</li><li>VPNDnsSuffixId: The value of VPNDnsSuffix (string). Wildcards are supported.</li></ul> <p> **When the Group type is PrintJob, you can use the following attributes inside DescriptorIdList**: <ul><li>PrintOutputFileNameId: The output destination file path for print to file. Wildcards are supported. For example, `C:\*\Test.pdf`</li><li>PrintDocumentNameId: The source file path. Wildcards are supported. This path might not exist. For example, add text to a new file in Notepad, and then print without saving the file.</li></ul>|

-|MatchType|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|<ul><li>**MatchAll**: Any attributes under the DescriptorIdList are an "And" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system checks to see whether the USB meets both values. </li><li>**MatchAny**: The attributes under the DescriptorIdList are an "Or" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, the system enforces as long as the USB has either an identical DeviceID or InstanceID value.</li><li>**MatchExcludeAll**: The attributes under the DescriptorIdList are an "And" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system enforces as long as the USB doesn't have both identical DeviceID and InstanceID value.</li><li>**MatchExcludeAny**: The attributes under the DescriptorIdList are an "Or" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system enforces as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>|

-## Access policy rule

-Every access policy rule called PolicyRule can be used to define access restriction for each Device type group through multiple entries.

-The following table lists the properties you can use in **PolicyRule**:

-|Property Name|Description|Options|

-||||

-|PolicyRule ID|GUID, a unique ID, represents the policy and is used in reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

-|Name|String, the name of the policy displays on the toast based on the policy setting and is captured in the reporting.|

-|IncludedIdList|The group(s) that the policy is applied to. If multiple groups are added, the policy is applied to any media in all those groups.|The Group ID/GUID must be used at this instance. The following example shows the usage of GroupID: {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1} <p> **Note**: You shouldn't add multiple groups inside IncludedIdList. Instead, add all groups into a new group and then add the new group inside IncludedIdList.|

-|ExcludedIDList|The group(s) that the policy isn't applied to.|The Group ID/GUID must be used at this instance.|

-|Entry|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.|See the entry properties table for more details.|

-The following table lists the properties you can use in **Entry**:

-|Property Name|Description|Options|

-||||

-|PolicyRule ID|GUID, a unique ID, represents the policy and is used in the reporting and troubleshooting.|You can generate the group ID through [PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.3&preserve-view=true)|

-|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or Deny</li><li>Audit: AuditAllowed or AuditDenied</li></ul>|<ul><li>Allow</li><li>Deny</li><li>AuditAllowed: Defines event when access is allowed</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry.</li></ul> <p> When there are conflict types for the same media, the system applies the first one in the policy. An example of a conflict type is **Allow** and **Deny**.|

-|Sid|Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.|

-|ComputerSid|Local computer Sid or computer Sid group or the Sid of the AD object or the Object ID of the Microsoft Entra object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry.|

-|Options|Defines whether to display notifications or not|**When Type Allow is selected:** <ul><li>0: nothing</li><li>4: disable AuditAllowed and AuditDenied for this entry. Even if Allow happens and the AuditAllowed is setting configured, the system doesn't send events.</li><li>8: capture a copy of the file as evidence; and must be used together with the **Set location for a copy of the file** setting</li></ul> <p> **When Type Deny is selected:**<ul><li>0: nothing</li><li>4: disable AuditDenied for this entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notifications.</li></ul> <p> **When Type AuditAllowed is selected:** <ul><li>0: nothing</li><li>1: nothing</li><li>2: send events</li></ul> <p> **When Type AuditDenied is selected:** </ul><li>0: nothing</li><li>1: show notifications</li><li>2: send events</li><li>3: show notifications and send events</li></ul>|

-|AccessMask|Defines the access.| <li>64: print</li>

-|Parameters|Condition for this Entry, for example, network condition.|Can add groups (non-devices type) or even put Parameters into Parameters. See Parameters properties table below for more details.|

-The table below lists the properties you can use in **Parameters**:

-|Property Name|Description|Options|

-||||

-|MatchType|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll:** <ul><li> Any attributes under the DescriptorIdList are an "And" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system checks to see whether the USB meets both values.</li></ul> <p> **MatchAny:** <ul></li>The attributes under the DescriptorIdList are an "Or" relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system enforces as long as the USB has either an identical DeviceID or InstanceID value.</li></ul> <p> **MatchExcludeAll:** <ul><li>The attributes under the DescriptorIdList are an "And" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAll, for every connected USB, system enforces as long as the USB doesn't have both identical DeviceID and InstanceID value.</li></ul> <p> **MatchExcludeAny:** <ul><li>The attributes under the DescriptorIdList are an "Or" relationship, any items that do NOT meet are covered. For example, if administrator puts DeviceID and InstancePathID and uses MatchExcludeAny, for every connected USB, system enforces as long as the USB doesn't have either an identical DeviceID or InstanceID value.</li></ul>|

-|PrintJob Network VPNConnection|The PrintJob or Network or VPNConnection group(s) created above.|Use the GroupId of the PrintJob or Network or VPNConnection group(s) created above.|

-|Parameters|You can embed Parameters inside Parameters with MatchType.|

-## Enduser experience

-You can view the policy name and printer information if you have right options setting in your policy.

-description: Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer.

-# Device Control Printer Protection

-**Applies to**

-> [!NOTE]

-> If you want to manage printers, see [Microsoft Defender for Endpoint Device Control Printer Protection](printer-protection-overview.md).

-Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer.

-## Licensing

-Before you get started with Printer Protection, you should [confirm your Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1). To access and use Printer Protection, you must have the following:

-## Permission

-For Policy deployment in Intune, to deploy policy via OMA-URI, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:

-To see device configuration reports, the account must have view reports permissions. You can create custom roles or use the built-in roles with these permissions:

-## Prepare your endpoints

-Make sure that the Windows 10 or Windows 11 devices that you plan on deploying Printer Protection to meet these requirements.

-1. The following Windows Updates are installed.

- - For Windows 1809: install Windows Update [KB5003217](https://support.microsoft.com/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46)

- - For Windows 1909: install Windows Update [KB5003212](https://support.microsoft.com/topic/may-20-2021-kb5003212-os-build-18363-1593-preview-05381524-8380-4b30-b783-e330cad3d4a1)

- - For Windows 2004 or later

-2. If you're planning to deploy policy via Group Policy, the device must be onboarded to Microsoft Defender for Endpoint joined; if you're planning to deploy policy via Microsoft Intune, the device must be joined by using Microsoft Intune.

-## Deploy Device Control Printer Protection policy

-You can deploy the policy via Group Policy or Intune.

-|Title|Description|CSP Support | GPO Support | User-based Support | Machine-based Support |

-|||::|::|::|::|

-|**Enable Device control Printing Restrictions**|Block people from printing via non-corporate printer|Yes|Yes|Yes|Yes|

-|**List of Approved USB-connected print devices**\*|Allow specific USB printer|Yes|Yes|Yes|Yes|

-\* This policy must be used together with **Enable Device control Printing Restrictions**.

-## Deploy policy via Intune

-For Intune, currently Device Control Printer Protection supports OMA-URI only.

-### Scenario 1: Block people from printing via any non-corporate printer using Intune

- `./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl`

- `./User/Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser`

-The CSP support string with `<enabled/>`:

-### Scenario 2: Allow specific approved USB printers using Intune

- `./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices`

- `./User/Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser`

-The CSP support string with approved USB printers via 'ApprovedUsbPrintDevices' property. Example: `<enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>`:

-## Deploy policy via Group Policy

-If the device isn't Intune joined, you can also deploy the policy via Group Policy.

-### Scenario 1: Block people from printing via any non-corporate printer using Group Policy

- Computer Configuration \> Administrative Templates \> Printer: Enable Device control Printing Restrictions

- User Configuration \> Administrative Templates \> Control Panel \> Printers: Enable Device control Printing Restrictions

-### Scenario 2: Allow specific approved USB printers using Group Policy

- Computer Configuration \> Administrative Templates \> Printer: List of Approved USB-connected print devices

- User Configuration \> Administrative Templates \> Control Panel \> Printers: List of Approved USB-connected print devices

-## View Device Control Printer Protection data in Microsoft Defender for Endpoint portal

-The <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender portal</a> shows printing blocked by the Device Control Printer Protection policy above.

-```kusto

-DeviceEvents

-| where ActionType == 'PrintJobBlocked'

-| extend parsed=parse_json(AdditionalFields)

-| extend PrintedFile=tostring(parsed.JobOrDocumentName)

-| extend PrintPortName=tostring(parsed.PortName)

-| extend PrinterName=tostring(parsed.PrinterName)

-| extend Policy=tostring(parsed.RestrictionReason)

-| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName, Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields

-| order by Timestamp desc

-```

- :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting" lightbox="../../media/device-control-advanced-hunting.png":::

- You can use the PnP event to find the USB printer used in the organization:

-```kusto

-//find the USB Printer VID/PID

-DeviceEvents

-| where ActionType == "PnpDeviceConnected"

-| extend parsed=parse_json(AdditionalFields)

-| extend DeviceDescription = tostring(parsed.DeviceDescription)

-| extend PrinterDeviceId = tostring(parsed.DeviceId)

-| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")

-| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')

-| extend VID_PID = replace_string(VID_PID, 'PID_', '')

-| extend ClassId = tostring(parsed.ClassId)

-| extend VendorIds = tostring(parsed.VendorIds)

-| where DeviceDescription == 'USB Printing Support'

-| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed

-| order by Timestamp desc

-```

- :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="The Advanced Hunting page" lightbox="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png":::

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, big sur, monterey, ventura, mde for mac

-ms.sitesec: library

-ms.pagetype: security

-curl -o ~/Downloads/eicar.com.txt

- 1. Microsoft Intune support for removable storage access control is now available. See [Deploy Removable Storage Access Control by using Intune user interface](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-user-interface)

- - Intune: *./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage Removable Storage Access Control using Intune](deploy-manage-removable-storage-intune.md)

- - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage Removable Storage Access Control using group policy](deploy-manage-removable-storage-group-policy.md)

-[Printer Protection Overview](printer-protection-overview.md)

-|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</li><li>Azure B2B invited guests aren't supported by Defender XDR RBAC, for experiences that were previously under Exchange Online RBAC.</li></ul>|

-Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You're also warned about software that is unknown to us.

-You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). Submitting files for analysis helps ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md)

-Malware is the overarching name for applications and other code, like software, that Microsoft classifies more granularly as *malicious software*, *unwanted software*, or *tampering software*.

-Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your device until you pay a ransom, use your device to send spam, or download other malicious software. In general, malicious software wants to trick, cheat, or defrauds users, placing them in vulnerable states.

-* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a key logger, which collects and sends information about the keys you press and websites you visit.

-* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [Learn more about ransomware](/security/ransomware/).

-* **Trojan clicker:** A type of trojan that automatically selects buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device.

-Software must not mislead or coerce you into making decisions about your device. It's considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:

-Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered nonextensible and shouldn't be modified.

-#### Tampering software

-Tampering software encompasses a broad spectrum of tools and threats that directly or indirectly lower the overall level of security of devices. Examples of common tampering actions include:

-* **Disabling or uninstalling security software**: Tools and threats that attempt to evade defense mechanisms by disabling or uninstalling security software, such as antivirus, EDR, or network protection systems. These actions leave the system vulnerable to further attacks.

-

-* **Abusing operating system features and settings**: Tools and threats that exploit features and settings within the operating system to compromise security. Examples include:

- - **Firewall abuse**: Attackers using firewall components to indirectly tamper with security software or block legitimate network connections, potentially enabling unauthorized access or data exfiltration.

- - **DNS manipulation**: Tampering with DNS settings to redirect traffic or block security updates, leaving the system exposed to malicious activities.

- - **Safe mode exploitation**: Leveraging the legitimate `Safe Mode` setting to put the device in a state where security solutions might be bypassed, allowing for unauthorized access or malware execution.

-* **Manipulating system components**: Tools and threats that target critical system components, such as kernel drivers or system services, to compromise the overall security and stability of the device.

-

-* **Privilege escalation**: Techniques aimed at elevating user privileges to gain control over the system's resources and potentially manipulate security settings.

-

-* **Interfering with security updates**: Attempts to block or manipulate security updates, leaving the system vulnerable to known vulnerabilities.

-

-* **Disrupting critical services**: Actions that disrupt essential system services or processes, potentially causing system instability and opening the door for other attacks.

-

-* **Unauthorized registry changes**: Modifications to the Windows Registry or system settings that impact the security posture of the device.

-

-* **Tampering with boot processes**: Efforts to manipulate the boot process, which can result in the loading of malicious code during startup.

-*PUAs aren't considered malware.*

-* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. Such software includes software that inserts advertisements to webpages.

-* **Bundling software:** Software that offers to install other software that isn't developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.

-## Vulnerable software

-Vulnerable software is an application or code that has security flaws or weaknesses which can be exploited by attackers to perform various malicious and potentially destructive actions. These vulnerabilities may stem from unintentional coding errors or design flaws, and if exploited, can lead to harmful activities such as unauthorized access, privilege escalation, tampering, and more.

-### Vulnerable drivers

-Despite strict requirements and reviews imposed on code running in kernel, device drivers remain susceptible to various types of vulnerabilities and bugs. Examples include memory corruption and arbitrary read and write bugs, which can be exploited by attackers to execute more significant malicious and destructive actions -ΓÇô actions typically restricted in user mode. Terminating critical processes on a device is an example of such malicious action.

-|Mail traffic|[Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) <p> [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport)|

- - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.